ieeg / WebServicesAuth

For the most part our web services are authenticated by a signature included in the HTTP headers. There is a small subset of services which the Portal's browser client uses. When the browser calls these services the Portal's session id is passed as the query parameter sessionId instead.

In either case, server-side authentication is handled by the class edu.upenn.cis.db.mefview.services.SigServerRequestFilter, which is an implementation of javax.ws.rs.container.ContainerRequestFilter and is registered in edu.upenn.cis.db.mefview.server.IEEGServices, our implementation of javax.ws.rs.core.Application.

SigServerRequestFilter is also responsible for looking up the User object for the name and adding it to the ContainerRequestContext, so that it can be accessed in the service's implementation and used for authorization. The filter itself is only responsible for authentication.
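The two authentication paths and the hand-off to authorization described above, as an added sketch that is not the project's SigServerRequestFilter. The header names, the HMAC-SHA256 scheme, the signed payload and the Directory interface are assumptions made for illustration; only the sessionId query parameter comes from this page. It needs the JAX-RS API (javax.ws.rs) on the classpath.

```java
// Added example; not the project's SigServerRequestFilter. Header names, the HMAC-SHA256
// scheme, the signed payload and the Directory interface are assumptions, not from the page.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;

public class ExampleAuthFilter implements ContainerRequestFilter {
    /** Hypothetical lookups; each returns null when nothing matches. */
    public interface Directory { String hashedPassword(String user); String userForSession(String id); }
    public static final String USER_PROPERTY = "example.authenticatedUser";
    private final Directory directory;
    public ExampleAuthFilter(Directory directory) { this.directory = directory; }
    @Override
    public void filter(ContainerRequestContext ctx) {
        String user = ctx.getHeaderString("X-Example-User");
        String sig = ctx.getHeaderString("X-Example-Signature");
        String authenticated = null;
        if (user != null && sig != null) {
            // Non-browser path: recompute the signature, compare in constant time.
            String key = directory.hashedPassword(user);
            String payload = ctx.getMethod() + "\n" + ctx.getUriInfo().getPath();
            if (key != null && !key.isEmpty()
                    && MessageDigest.isEqual(utf8(sign(key, payload)), utf8(sig))) authenticated = user;
        } else {
            // Browser path: resolve the Portal session id from the query string.
            String id = ctx.getUriInfo().getQueryParameters().getFirst("sessionId");
            if (id != null) authenticated = directory.userForSession(id);
        }
        if (authenticated == null) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        // Authentication only: the service reads this property for its authorization checks.
        ctx.setProperty(USER_PROPERTY, authenticated);
    }
    static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }
    static String sign(String key, String payload) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(utf8(key), "HmacSHA256"));
            return Base64.getEncoder().encodeToString(mac.doFinal(utf8(payload)));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```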

There are two non-browser clients. One is edu.upenn.cis.db.mefview.services.TimeSeriesInterface which is used by the MATLAB toolbox and the other is org.ieeg.cli.ieeg.WebServiceClient which is used by the ieeg command line program.

Both of these register a javax.ws.rs.client.ClientRequestFilter called edu.upenn.cis.db.mefview.services.SigClientRequestFilter. This filter is responsible for calculating the signature for the request and adding the appropriate HTTP headers. The clients use the class edu.upenn.cis.db.mefview.services.UserAndPassword to pass the user's name and hashed password to the filter. There are setUserAndPassword convenience methods in TimeSeriesInterface and WebServiceClient for setting these values. ClientRequestFilter nulls out these values when it is done making the request.

The actual calculation of signatures, on both the client and the server, is done by the class edu.upenn.cis.db.mefview.services.SignatureGenerator.

Not all services take signature-style authentication (authc); see SigServerRequestFilter.
